Posted by samzenpus on Wednesday August 04, 2010 @07:55PM from the rotten-apple dept.

Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."

Though you do bring up an interesting point. iOS is the biggest mobile operating system player right now, and even with that large market share, so far nobody has turned all of those iPhones into a botnet. If Windows had the same bug, we would have millions of maliciously compromised systems by now. What gives?

The really funny thing is that by adding those words they made the statement wrong - there are patches (PDF for sure), already in 4.1. 4.1 includes a PDF fix for a Mac OS X vulnerability reported on well before this week.

I don't know if this scenario is valid, as I don't have an iPhone that can run iOS4. But here goes anyway.

So someone takes their iPhone and jailbreaks it. The two bugs that allowed this are still present in the jailbroken phones, so the phones can also be pwned by anyone who comes up with a different exploit that uses these bugs. Clearly the phones can't be updated to 4.1 (as they are jailbroken), so unless someone produces patches independently of Apple they will remain in these jailbroken phones until they are discarded or reset to the official post-4.1 iOS. I wonder how many non-geeks who are persuaded to jailbreak their phones will realize this.

Here's the root of the issue. When someone decides to use an exploitable bug for their own purposes they are not doing any favors for themselves or their users. Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

while this exploit shows that you have to also consider malicious data which injects code via existing "vetted" apps

That implies if an app store app had a security issue it would be an issue beyond that application. That is generally not the case since the apps are all well sandboxed and cannot affect the system. Messing with an approved app via some flaw would usually get you nothing but a corrupted app. You can't even modify the app binary from the app itself...

I'm not even sure breaking an app would be able to get you to the same system privilege exploit break Safari is able to reach, since Safari is a system app that possibly has slightly more leeway in access to the system.

I await the audible or visual hack that gets a malicious pattern in through the microphone or camera, and then triggers bugs in the apps that try to do clever things with sound, image, or video!

I've read about that concept before and it's a cool thought experiment, but in reality I don't think that's a practical line of attack, since the full range of possible data from those forms of input is so well understood by the things processing it and so limited in scope. Anything going in through the camera is going to have pixels with RGB values ranging from 0 to 255 in an array of pixels at a specific size; there's just no input you could give that would break anything. Basically the A/D converters are acting as a kind of firewall for your input, preventing data outside the extremes from being processed.

MAYBE you could devise some kind of sequence that would break the autofocus system when presented with a specific set of targets, but even then could you inject code once you had broken AF? It seems well beyond practical to be able to do so even just for research purposes.

How about when the camera starts to do face recognition (like most point-and-shoot digicams do today) and also starts to recognize bar codes and the square patterns like the ones that the Android app store uses? How about voice recognition and commands built into the machine? The smarter you make these things, the more complex they become. At a certain level of complexity, you lose assurance that the security works properly. It takes exponentially more time to vet the system as the complexity increases.
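The two comments above disagree on whether bounded sensor values can ever hurt the code behind them. The following toy decoder is an added illustration for this thread, not code from any commenter or from Apple: it feeds an 8-bit camera scanline (every pixel a legal 0..255 value, so the "A/D converter firewall" rejects nothing) into a barcode-style parser whose frame layout, field names and buffer size are invented for the example. The point is the one the second comment makes: the range of the pixels is bounded, but the interpretation a parser assigns to them (here, a length field) is not, so the parser itself needs the bounds check.

```python
# Added example: a toy "barcode" decoder over an 8-bit camera scanline.
# Frame layout (invented for this illustration, not any real barcode/QR format):
#   symbol[0]  = payload length, symbol[1..length] = payload bytes.
from typing import Callable, List, Optional, Tuple

MAX_PAYLOAD = 8   # hypothetical fixed capacity of the decoder's output buffer
BAR_WIDTH = 4     # pixels per bar in the constructed scanline


def binarize(scanline: List[int], threshold: int = 128) -> List[int]:
    """Camera pixels -> bits: one bit per bar, dark bar = 1, light bar = 0."""
    assert all(0 <= p <= 255 for p in scanline), "A/D output is always 8-bit"
    return [1 if scanline[i] < threshold else 0
            for i in range(0, len(scanline), BAR_WIDTH)]


def bits_to_bytes(bits: List[int]) -> List[int]:
    """Pack bits MSB-first into 8-bit symbols; an incomplete trailing byte is dropped."""
    out = []
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return out


def decode_vulnerable(symbols: List[int]) -> bytearray:
    """Trusts the length symbol. In C this loop writes past a fixed buffer;
    Python turns the same logic into an IndexError, i.e. a crash on a
    perfectly 'valid' image."""
    length = symbols[0]
    buf = bytearray(MAX_PAYLOAD)
    for i in range(length):            # no bound against MAX_PAYLOAD or len(symbols)
        buf[i] = symbols[1 + i]
    return buf


def decode_hardened(symbols: List[int]) -> Optional[bytearray]:
    """Same decoder with the length field checked against both the buffer
    capacity and the amount of data actually present in the frame."""
    if not symbols:
        return None
    length = symbols[0]
    if length > MAX_PAYLOAD or 1 + length > len(symbols):
        return None                    # reject the frame instead of running off the end
    buf = bytearray(MAX_PAYLOAD)
    for i in range(length):
        buf[i] = symbols[1 + i]
    return buf


def render_scanline(symbols: List[int]) -> List[int]:
    """Constructed 'camera' output: paint each bit as BAR_WIDTH grey pixels."""
    pixels = []
    for s in symbols:
        for bit in range(7, -1, -1):
            dark = (s >> bit) & 1
            pixels.extend([30 if dark else 220] * BAR_WIDTH)   # always within 0..255
    return pixels


# Constructed inputs: a benign frame, and one whose length symbol exceeds the
# decoder's buffer. Both produce legal 8-bit images; only the decoder differs.
BENIGN_FRAME = [3, 0x41, 0x42, 0x43]
OVERSIZED_FRAME = [200, 0x41, 0x42, 0x43]


def run(frame: List[int], decoder: Callable) -> Tuple[str, Optional[bytearray]]:
    """Image -> bits -> symbols -> decoder; reports how the decoder fared."""
    symbols = bits_to_bytes(binarize(render_scanline(frame)))
    try:
        result = decoder(symbols)
    except IndexError:
        return ("crashed", None)       # the out-of-range access the length field provoked
    if result is None:
        return ("rejected", None)
    return ("ok", result)


if __name__ == "__main__":
    print(run(BENIGN_FRAME, decode_vulnerable))
    print(run(OVERSIZED_FRAME, decode_vulnerable))
    print(run(OVERSIZED_FRAME, decode_hardened))
```

The benign frame decodes identically with both decoders. The oversized frame never violates the pixel range, yet it crashes the unchecked decoder and is cleanly rejected by the checked one; in a native decoder the first outcome would be a memory-safety bug rather than an exception, which is why the check belongs in the parser and cannot be delegated to the sensor.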

The issues here are choice and authorization. Who owns the device, you or Apple? If such a 'feature' does not have a choice... an option to opt out of the policing, then it is a malware back door no different than the one your Chinese hacker put in. In fact it's worse, because it'll never be found as such... in fact, it'll be marketed as a 'feature'.

Generally speaking, I don't either. But this aspect is used as I noted only in extraordinary cases.

Seriously? And you're calling me naive? I'll leave you to imagine various political analogies about governments with runaway policing powers.

To my mind it's no different than when I used to have a Linux installation that I configured to automatically download a security update package every night - potentially that could have uninstalled any system app that went rogue. And that would have been fine with me.

Generally (no, not always), the Linux distro guys are users themselves. Their financial interests do not conflict with your user rights. If they implemented such a feature, they would tell you, and they would give you an option to turn it off. So, no, Linux distros are not the same thing as the stuff coming from Apple, Microsoft et al. Generally, free software is user-centric whereas commercial software is profit-centric. As long as profits line up with user interest everything is fine. When it doesn't...